Researchers at the cyber security firm Zimperium have recently uncovered a vulnerability in roughly 95% of Android devices that has the potential to allow hackers to take total control over your phone with a simple picture message (MMS). The gritty details of this exploit have not been made public yet, but hackers now know the general framework for this type of attack, so you can be certain that they'll hammer out the details in no time.

To be clear, Zimperium is a security firm, so their main goal in discovering this vulnerability was to gain a little notoriety while helping Android manufacturers and developers plug up a potentially disastrous security risk. Nonetheless, the general basis for the attack is now public knowledge, so hackers with malicious intents need only to reverse-engineer some of the finer aspects of this exploit before they can actually start putting it to use.

How It Works

The premise is relatively simple—an attacker only needs your phone number to take total control of your Android device by sending an MMS with the malicious code embedded in it. This means that, theoretically, a hacker could send you an MMS message while you were asleep, take control over your phone, then remove all traces of the attack while you remained none the wiser.

Once the trojan file has been sent over MMS, the attacker can read your messages, retrieve your login credentials for various sites and services, operate your device's microphone, and access almost any file stored on your phone. To put it simply, a hacker could potentially gain access to all of the sensitive data stored on your smartphone by sending you a simple picture message.

Android devices can be hacked with a single MMS message.

What Devices Are Affected?

This particular attack exploits a security loophole in Android's media library (Stagefright) to gain escalating permissions. Since Stagefright has been the default media library in Android devices for the past 5 years, this exploit has the potential to compromise almost any phone running Android 2.2 (Froyo) through Android 5.1.1 (Lollipop).

When Is a Fix Coming?

Google has already added a fix for the Stagefright exploit to Android's code base, but this certainly doesn't mean that we're in the clear.

Consider the way Android updates usually work: First, Google adds new code to AOSP (which they've already done in this case). Then, Google pushes this updated version out to manufacturers like Samsung or HTC. The manufacturers then spend months adding their own custom tweaks to the firmware before sending it out to the cellular carriers. The carriers then spend another few months adding their own bloat to the firmware, and ultimately, the security fix is sent out to end users about 6 months after it was originally made.

It certainly won't take hackers a full 6 months to replicate this exploit, so in the meantime, we'll need to take matters into our own hands.

Disable MMS Auto-Retrieve to Prevent Attacks

Since the exploit works by sending an MMS that is automatically downloaded by your phone, the only way to prevent this attack is to set your phone to not automatically download MMS messages. The drawback here is that you'll have to tap future MMS messages to download them manually, but it's a small price to pay for security.

The process will vary depending on your text messaging app, but I'll outline it for some of the most popular messaging apps below.

Samsung Messages App:

If you're using the default Messages app on a Samsung device, start by heading to the Settings entry in app's main menu. From here, select "More settings," then "Multimedia messages." Finally, disable the "Auto retrieve" option to ensure that potentially dangerous MMS messages are not automatically downloaded.

Google Messenger App:

With the Google Messenger app, start by tapping the three-dot menu button in the app's top-right corner, then select the Settings entry. From here, choose Advanced, then make sure the "Auto-retrieve" option is disabled on the next screen.

Hangouts App:

To disable MMS auto-retrieve in the Hangouts messaging app, head to the side navigation menu and select Settings. Next, choose the SMS entry, then scroll down a bit, and make sure that the "Auto retrieve MMS" option is disabled.

From now on, your phone will no longer download MMS messages automatically, meaning the exploit can't be triggered on your phone without your knowledge. But you should still be very careful about opening MMS messages, and in general, do not open an MMS message that came from a phone number you don't recognize.

Personally, I think this exploit shines a light on Android's convoluted update process, because without the manufacturers and carriers meddling around with our phones' firmware, we could already have a fix for this issue sent directly from Google. What are your main concerns with the Stagefright exploit? Let us know in the comment section below, or drop us a line on Android Hacks' Facebook or Twitter, or Gadget Hacks' Facebook, Google+, or Twitter.

9 Comments

I got a problem with how this was announced. Right before a big convention in Vegas, they announce this vulnerability. No details, nothing. Can you say "PR STUNT"? I knew you could. This may be legit, it may be just a way for this company to get press, we won't know until it's released. I, for one, am glad that I have a phone that has the boot loader either broken or unlocked or bypassed, that allows me to put third party OS on my phone and things like this get fixed, rather than waiting on the @#%@#$@!#%#$^#@$%@!#$@# carrier (Verizon) to get around to it, which they won't for older phones.

Just an FYI, for the Lollipop version on Samsung there is no "More Setting" option in the messaging app, it goes right to "Multimedia messages." For those who can't find the "More Settings" see if it's a step you can skip.